DPA contests home

Introduction

News

Rules

Download

Documentation

Traces Tables

Participate

Hall of Fame

Frequently Asked Questions

Acknowledgments

How to Play?

This page describes the steps required to participate to this edition of the DPA contest:

  1. Inform us of your intentions to participate (optional)
  2. Download and install the tools
  3. Develop and test your attack
  4. Submit your attack for evaluation

Inform us (optional)

Download and install the tools

For this edition of the contest, we have developed tools that allow you to test your attack on our public trace database to have an idea of its performances before the real evaluation on our private trace database.

The tools exist in different version according to the language and operating system you will use to develop your attack:

Unix (Programming language or Matlab)

Traces

We provide us with two trace sets: the template base and the public base (see the Rules page for more information). You can use these traces to test your attack and have a first idea about its performances.

There are two methods to access these traces: remotely by using our PostgreSQL database server or locally by downloading them. The second method requires some disk space to store all the traces (9 GBytes) but access to the traces will be a lot faster (no further network access) and easier. Note: the first method is often impossible if you have a restrictive firewall (this is often the case in companies or in universities).

If you choose the second method (which is recommended), you have to download the traces. The two trace archives are large so they have been divided into several parts. Go to the Download page and download the following files into a new directory:

Next, check the integrity of the downloaded files (as they are quite large, the download may sometimes fail) using the md5sum command (on some Unixes, such as Mac OS X, the command is named md5 instead of md5sum) inside the directory where you have downloaded them:

$ md5sum *

Compare the results of this command with the results given on the Download page. If the MD5 hash of a file does not match, the file is corrupted so download it again.

Next, rebuild the two archives and delete partial files with the commands:

$ cat DPA_contest2_public_base_diff_vcc_a128_2009_12_23.tar.bz2.part{0..3} > DPA_contest2_public_base_diff_vcc_a128_2009_12_23.tar.bz2
$ rm DPA_contest2_public_base_diff_vcc_a128_2009_12_23.tar.bz2.part{0..3}
$ cat DPA_contest2_template_base_diff_vcc_a128_2009_12_23.tar.bz2.part{0..5} > DPA_contest2_template_base_diff_vcc_a128_2009_12_23.tar.bz2
$ rm DPA_contest2_template_base_diff_vcc_a128_2009_12_23.tar.bz2.part{0..5}

Finally, decompress and extract the archives (if you want to keep a copy of the archives, do not execute the last two commands):

$ bunzip2 DPA_contest2_public_base_index_file.bz2
$ bunzip2 DPA_contest2_public_base_diff_vcc_a128_2009_12_23.tar.bz2
$ bunzip2 DPA_contest2_template_base_diff_vcc_a128_2009_12_23.tar.bz2
$ tar xf DPA_contest2_public_base_diff_vcc_a128_2009_12_23.tar
$ tar xf DPA_contest2_template_base_diff_vcc_a128_2009_12_23.tar
$ rm DPA_contest2_public_base_diff_vcc_a128_2009_12_23.tar
$ rm DPA_contest2_template_base_diff_vcc_a128_2009_12_23.tar

Now, you have the file DPA_contest2_public_base_index_file which contains the list of traces in the public base (it is used by the attack wrapper) and two directories containing the traces of the public (DPA_contest2_public_base_diff_vcc_a128_2009_12_23) and the template (DPA_contest2_template_base_diff_vcc_a128_2009_12_23) base.

Tools

Now, you have to download and install two tools: the attack wrapper and the metric computation tool. The attack wrapper launches your attack, retrieves traces either from our database server or from files on your disk, supplies them to your attack, retrieves results and stores them for subsequent exploitation. The metric computation tools gathers results collected during one or several execution of your attack by the attack wrapper, and computes the different metrics we have chosen for this edition of the contest (see the Rules page for more information about the metrics we use).

Download the archive attack_wrapper-1.1.1.tar.gz and extract it:

$ gunzip attack_wrapper-1.1.1.tar.gz
$ tar xf attack_wrapper-1.1.1.tar
$ cd attack_wrapper-1.1.1

If you have downloaded the traces, configure the tools using the following command:

$ ./configure --with-postgresql=no

If you have not downloaded the traces and want to use traces remotely from our database server, configure the tools using the following command:

$ ./configure --with-postgresql=yes

During the execution of the configuration script, check for any errors. If everything works properly, compile the two tools using the following command:

$ make

If the compilation works properly, the two executables (attack_wrapper and compute_results) are stored in the src directory. How can leave them here or you can copy them into a more convenient directory.

You can now jump to the next step: Develop and test your attack.

Windows

Traces

We provide us with two trace sets: the template base and the public base (see the Rules page for more information). You can use these traces to test your attack and have a first idea about its performances.

First, you have to download the traces. The two trace archives are large so they have been divided into several parts. Go to the Download page and download the following files into a new directory:

Next, check the integrity of the downloaded files (as they are quite large, the download may sometimes fail) using the md5sum tool inside the directory where you have downloaded them. To do this, you need to open a console (Start / All Programs / Accessories / Command Prompt or Start / Run / cmd.exe).

Go to the disk where you have downloaded the traces and the md5sum tool (in this example D:):

C:\>D:

Next, go to the directory where you have downloaded the traces (in this example D:\DPA):

D:\>cd DPA

Next run the md5sum tool:

D:\DPA>md5sum *

Compare the results of this command with the results given on the Download page. If the MD5 hash of a file does not match, the file is corrupted so download it again.

Next, rebuild the two archives and delete partial files with the commands:

D:\DPA>copy /b DPA_contest2_public_base_diff_vcc_a128_2009_12_23.tar.bz2.part0 +DPA_contest2_public_base_diff_vcc_a128_2009_12_23.tar.bz2.part1 +DPA_contest2_public_base_diff_vcc_a128_2009_12_23.tar.bz2.part2 +DPA_contest2_public_base_diff_vcc_a128_2009_12_23.tar.bz2.part3 DPA_contest2_public_base_diff_vcc_a128_2009_12_23.tar.bz2

D:\DPA>del DPA_contest2_public_base_diff_vcc_a128_2009_12_23.tar.bz2.part0
D:\DPA>del DPA_contest2_public_base_diff_vcc_a128_2009_12_23.tar.bz2.part1
D:\DPA>del DPA_contest2_public_base_diff_vcc_a128_2009_12_23.tar.bz2.part2
D:\DPA>del DPA_contest2_public_base_diff_vcc_a128_2009_12_23.tar.bz2.part3

D:\DPA>copy /b DPA_contest2_template_base_diff_vcc_a128_2009_12_23.tar.bz2.part0 +DPA_contest2_template_base_diff_vcc_a128_2009_12_23.tar.bz2.part1 +DPA_contest2_template_base_diff_vcc_a128_2009_12_23.tar.bz2.part2 +DPA_contest2_template_base_diff_vcc_a128_2009_12_23.tar.bz2.part3 +DPA_contest2_template_base_diff_vcc_a128_2009_12_23.tar.bz2.part4 +DPA_contest2_template_base_diff_vcc_a128_2009_12_23.tar.bz2.part5 DPA_contest2_template_base_diff_vcc_a128_2009_12_23.tar.bz2

D:\DPA>del DPA_contest2_template_base_diff_vcc_a128_2009_12_23.tar.bz2.part0
D:\DPA>del DPA_contest2_template_base_diff_vcc_a128_2009_12_23.tar.bz2.part1
D:\DPA>del DPA_contest2_template_base_diff_vcc_a128_2009_12_23.tar.bz2.part2
D:\DPA>del DPA_contest2_template_base_diff_vcc_a128_2009_12_23.tar.bz2.part3
D:\DPA>del DPA_contest2_template_base_diff_vcc_a128_2009_12_23.tar.bz2.part4
D:\DPA>del DPA_contest2_template_base_diff_vcc_a128_2009_12_23.tar.bz2.part5

Finally, decompress and extract the archives. The archives were created using the default Unix tar and bzip2 tools. By default Windows do not have them so you can use, for instance, 7-zip to decompress and extract them.

Now, you have two directories containing the traces of the public (DPA_contest2_public_base_diff_vcc_a128_2009_12_23) and the template (DPA_contest2_template_base_diff_vcc_a128_2009_12_23) base.

Tools

Now, you have to download and install two tools: the attack wrapper and the metric computation tool. The attack wrapper launches you attack, retrieves traces from files on your disk, supplies them to your attack, retrieves results and stores them for subsequent exploitation. The metric computation tools gathers results collected during one or several execution of your attack by the attack wrapper, and computes the different metrics we have chosen for this edition of the contest (see the Rules page for more information about the metrics we use).

The two tools comes in the form of a Microsoft Visual Studio 2008 project containing the C# source code of the two tools and the base framework to develop and test your attack. If you do not have Microsoft Visual Studio 2008 or newer, you can download Microsoft Visual C# Express (note: it is your responsibility to check the licence of this product to see if you have the right to download it).

Download and uncompress the archive attack_wrapper_windows-1.1.0.zip and open the project with Microsoft Visual Studio/C#.

You can now jump to the next step: Develop and test your attack.

Matlab on Windows

Traces

We provide us with two trace sets: the template base and the public base (see the Rules page for more information). You can use these traces to test your attack and have a first idea about its performances.

First, you have to download the traces. The two trace archives are large so they have been divided into several parts. Go to the Download page and download the following files into a new directory:

Next, check the integrity of the downloaded files (as they are quite large, the download may sometimes fail) using the md5sum tool inside the directory where you have downloaded them. To do this, you need to open a console (Start / All Programs / Accessories / Command Prompt or Start / Run / cmd.exe).

Go to the disk where you have downloaded the traces and the md5sum tool (in this example D:):

C:\>D:

Next, go to the directory where you have downloaded the traces (in this example D:\DPA):

D:\>cd DPA

Next run the md5sum tool:

D:\DPA>md5sum *

Compare the results of this command with the results given on the Download page. If the MD5 hash of a file does not match, the file is corrupted so download it again.

Next, rebuild the two archives and delete partial files with the commands:

D:\DPA>copy /b DPA_contest2_public_base_diff_vcc_a128_2009_12_23.tar.bz2.part0 +DPA_contest2_public_base_diff_vcc_a128_2009_12_23.tar.bz2.part1 +DPA_contest2_public_base_diff_vcc_a128_2009_12_23.tar.bz2.part2 +DPA_contest2_public_base_diff_vcc_a128_2009_12_23.tar.bz2.part3 DPA_contest2_public_base_diff_vcc_a128_2009_12_23.tar.bz2

D:\DPA>del DPA_contest2_public_base_diff_vcc_a128_2009_12_23.tar.bz2.part0
D:\DPA>del DPA_contest2_public_base_diff_vcc_a128_2009_12_23.tar.bz2.part1
D:\DPA>del DPA_contest2_public_base_diff_vcc_a128_2009_12_23.tar.bz2.part2
D:\DPA>del DPA_contest2_public_base_diff_vcc_a128_2009_12_23.tar.bz2.part3

D:\DPA>copy /b DPA_contest2_template_base_diff_vcc_a128_2009_12_23.tar.bz2.part0 +DPA_contest2_template_base_diff_vcc_a128_2009_12_23.tar.bz2.part1 +DPA_contest2_template_base_diff_vcc_a128_2009_12_23.tar.bz2.part2 +DPA_contest2_template_base_diff_vcc_a128_2009_12_23.tar.bz2.part3 +DPA_contest2_template_base_diff_vcc_a128_2009_12_23.tar.bz2.part4 +DPA_contest2_template_base_diff_vcc_a128_2009_12_23.tar.bz2.part5 DPA_contest2_template_base_diff_vcc_a128_2009_12_23.tar.bz2

D:\DPA>del DPA_contest2_template_base_diff_vcc_a128_2009_12_23.tar.bz2.part0
D:\DPA>del DPA_contest2_template_base_diff_vcc_a128_2009_12_23.tar.bz2.part1
D:\DPA>del DPA_contest2_template_base_diff_vcc_a128_2009_12_23.tar.bz2.part2
D:\DPA>del DPA_contest2_template_base_diff_vcc_a128_2009_12_23.tar.bz2.part3
D:\DPA>del DPA_contest2_template_base_diff_vcc_a128_2009_12_23.tar.bz2.part4
D:\DPA>del DPA_contest2_template_base_diff_vcc_a128_2009_12_23.tar.bz2.part5

Finally, decompress and extract the archives. The archives were created using the default Unix tar and bzip2 tools. By default Windows do not have them so you can use, for instance, 7-zip to decompress and extract them.

Now, you have two directories containing the traces of the public (DPA_contest2_public_base_diff_vcc_a128_2009_12_23) and the template (DPA_contest2_template_base_diff_vcc_a128_2009_12_23) base.

Tools

Now, you have to download and install two tools: the attack wrapper and the metric computation tool. The attack wrapper launches you attack, retrieves traces from files on your disk, supplies them to your attack, retrieves results and stores them for subsequent exploitation. The metric computation tools gathers results collected during one or several execution of your attack by the attack wrapper, and computes the different metrics we have chosen for this edition of the contest (see the Rules page for more information about the metrics we use).

The two tools comes in the form of a Microsoft Visual Studio 2008 project containing the C# source code of the two tools and a pre-compiled version of them. To develop your attack in Matlab, you do not need Visual Studio, you just need a recent version of the Microsoft .NET framework.

Download and uncompress the archive attack_wrapper_windows-1.1.0.zip.

You also need the Matlab .m file that you have to use as a base for your attack: attack_win.m.

You can now jump to the next step: Develop and test your attack.

Develop and test your attack

One you have install the required tools, you can now develop and test your attack. To illustrate this step, we will take the reference attack as an example. As for the previous step, the instructions depend on the language and operating system you plan to use:

If you want to develop an attack that also use the template base (whatever the operating system or the language you use), please also look at the appropriate section of the FAQ.

Unix (Linux)

Development

Now, you have an idea of a powerful attack and you want to code it. What is an attack? An attack is a program that receives traces from the attack wrapper, processes them and sends the results to the attack wrapper. The communication protocol between the attack wrapper and our attack program is documented on the Documentation page. Your program reads traces from its standard input and sends results on its standard output. This method allows you to develop your attack in the programming language of your choice.

To illustrate this, you can look at the reference attack which is developed in C++ (the same attack, developed in Python, is available in the examples directory of the attack wrapper). Download the reference attack using this link: reference_attack-1.0.1.tar.gz, extract it and compile it using the following commands:

$ gunzip reference_attack-1.0.1.tar.gz
$ tar xf reference_attack-1.0.1.tar
$ cd reference_attack
$ make

Attack launch

Once you have developed and compiled your attack (or if you want to try the reference attack), you can test it with the attack wrapper. Options accepted by the attack wrapper are listed below:

If you have downloaded the traces, you can invoke the attack wrapper using the following command:

$ attack_wrapper -i 10 -k 0 -o results_k0.txt -d DPA_contest2_public_base_diff_vcc_a128_2009_12_23 -x DPA_contest2_public_base_index_file attack_reference

If you want to use traces remotely from our database server, use the following command:

$ attack_wrapper -i 10 -k 0 -o results_k0.txt attack_reference

On the two command, you may need to adapt the following paths:

The command above will launch the attack wrapper with your attack using the first key of the public base and on only 10 traces. The human readable results (rank of each byte key after each trace) is stored into the file results_k0.txt. Thus you can check if something goes wrong.

If everything seems to work, you can launch your attack on all the traces by replacing -i 10 with -i 20000 and adding the -b option to store results in binary (this is required by the metric computation tool). You can repeat this process for all the 32 keys of the public base (replace -k 0 with the number of the key, from 0 to 31, and do not forget to change the name of the output file in order not to destroy previous results.

Computation of result metrics

Once you have one or more binary result files (for one or more keys), you can launch the metric computation tool using the command (add or remove result files at the end of the command):

$ compute_results results_k0 results_k1 results_k2

The tool will analyze the result files and produce several text files containing the different metrics. Theses files are human readable and can be plotted using gnuplot.

You can now jump to the last step: Submit your attack for evaluation.

Windows

Development

Now, you have an idea of a powerful attack and you want to code it. What is an attack? With the Windows version of the framework, an attack is a C# class (it should normally be possible to develop this class with any language compatible with the .NET framework but this possibility was not tested yet) which inherits from the AttackBase class.

The class implementing your attack must inherit from the AttackBase class and implements a constructor (which initializes the different data structures you use during your attack and which initializes the subkey_num field which contains the number of the subkey you will attack (0 represents the main 128 bits AES key, 1 represents the first subkey, ..., 10 represents the subkey used during the last round)), and the following methods:

public override PartialResult attackPhase(Trace trace)

This method contains the code representing one iteration of your attack against the real traces (either from the public or private base). This method receives one argument which is an object from the class Trace which contains the data of the input trace (plaintext, ciphertext and samples) and returns an instance of the class PartialResult which represents the result of your attack against the trace consumed up to now (for each subkey bytes, the 256 possible values of this subkey byte sorted from the most probable to the least probable). For details about the Trace or PartialResult class, consult the comments inside the source code of these two classes.

So, create a new class inside the AttackWrapper project (we will name it XXAAttack for example). Make it inherits from AttackBase class, implements the constructor, and the performProfilingPhase and attackPhase methods.

Next, modify the Program.cs file and replace the line:

this.attack = new ReferenceAttack();

with a line which instantiate your attack:

this.attack = new XXAAttack(...);

Finally, compile the project and resolve any compilation error if any.

Attack launch

Once you have developed and compiled your attack (or if you want to try the reference attack), you can test it. The AttackWrapper program created by the compilation of the project takes 4 arguments on the command line:

To launch it, launch a command line, go to the directory where Microsoft Visual C# has compiled the AttackWrapper project and execute:

D:\...>AttackWrapper.exe 0 10 result_k0.dat D:\DPA\DPA_contest2_public_base_diff_vcc_a128_2009_12_23

The command above will launch the attack wrapper with your attack using the first key of the public base and on only 10 traces.

If everything seems to work, you can launch your attack on all the traces by replacing 10 with 20000. You can repeat this process for all the 32 keys of the public base (replace 0 with the number of the key, from 0 to 31, and do not forget to change the name of the output file in order not to destroy previous results.

Computation of result metrics

Once you have one or more binary result files (for one or more keys), you can launch the metric computation tool using the command (add or remove result files at the end of the command):

D:\...>ComputeResults.exe results_k0.dat results_k1.dat results_k2.dat

The tool will analyze the result files and produce several text files containing the different metrics. Theses files are human readable and can be plotted using gnuplot.

You can now jump to the last step: Submit your attack for evaluation.

Matlab (Unix)

Development

Now, you have an idea of a powerful attack and you want to code it. What is an attack? An attack is a program that receives traces from the attack wrapper, processes them and sends the results to the attack wrapper. The communication protocol between the attack wrapper and our attack program is documented on the Documentation page. Your program reads traces from a FIFO (named pipe) and sends results to an other FIFO.

To facilitate the development of an attack with Matlab, we provide you with an attack template. You can find it in the src directory of the attack wrapper under the name attack.m.

Open it and modify it to implement your attack (search for TODO comments to identify the lines to modify). You will have to modify the name of the input and output FIFO (given during the launch of the attack wrapper below), the number of the attacked subkey, and the code of the attack.

Attack launch

Once you have developed, you can test it with the attack wrapper. Options accepted by the attack wrapper are listed below:

If you have downloaded the traces, you can invoke the attack wrapper using the following command:

$ attack_wrapper -f -i 10 -k 0 -o results_k0.txt -d DPA_contest2_public_base_diff_vcc_a128_2009_12_23 -x DPA_contest2_public_base_index_file fifo

If you want to use traces remotely from our database server, use the following command:

$ attack_wrapper -f -i 10 -k 0 -o results_k0.txt fifo

On the two command, you may need to adapt the following paths:

The command above will launch the attack wrapper using the first key of the public base and on only 10 traces. Once the wrapper is launched and ready, launch your attack in Matlab. The human readable results (rank of each byte key after each trace) is stored into the file results_k0.txt. Thus you can check if something goes wrong.

If everything seems to work, you can launch your attack on all the traces by replacing -i 10 with -i 20000 and adding the -b option to store results in binary (this is required by the metric computation tool). You can repeat this process for all the 32 keys of the public base (replace -k 0 with the number of the key, from 0 to 31, and do not forget to change the name of the output file in order not to destroy previous results.

Computation of result metrics

Once you have one or more binary result files (for one or more keys), you can launch the metric computation tool using the command (add or remove result files at the end of the command):

$ compute_results results_k0 results_k1 results_k2

The tool will analyze the result files and produce several text files containing the different metrics. Theses files are human readable and can be plotted using gnuplot.

You can now jump to the last step: Submit your attack for evaluation.

Matlab (Windows)

Development

Now, you have an idea of a powerful attack and you want to code it. What is an attack? An attack is a Matlab program that receives traces from the attack wrapper, processes them and sends the results to the attack wrapper. The communication between the wrapper and Matlab is done using the .NET external interface of Matlab.

To facilitate the development of an attack with Matlab, we provide you with an attack template (attack_win.m).

Open it and modify it to implement your attack (search for TODO comments to identify the lines to modify). You will have to modify the following parameters:

And implement your attack at the indicated position in the file. Read the comments to see how to manipulated the inputs and outputs of your attack.

Attack launch

Once you have developed your attack, you can test it with Matlab by launching the execution of the .m file: attack_win (if you are in the correct directory). If you see a problem of permission for IO access, look at the FAQ page.

Computation of result metrics

Once you have one or more binary result files (for one or more keys), you can launch the metric computation tool using the command (add or remove result files at the end of the command):

D:\...>ComputeResults.exe results_k0.dat results_k1.dat results_k2.dat

The tool will analyze the result files and produce several text files containing the different metrics. Theses files are human readable and can be plotted using gnuplot.

You can now jump to the last step: Submit your attack for evaluation.

Submit your attack for evaluation

Once your attack is working and you are satisfied with its results, you can send it to us. We will run it against the traces from the private database and send you the results of this evaluation.

According to a small change in the rules, before sending your attack, you must have been able to run it on all the 20,000 traces of at least one of the keys of the public base, and check that the time needed to evaluate all these 20,000 traces, on a normal computer, does not exceed 48 hours.

Although the official deadline for submission to the DPA contest v2 has passed, you can continue to submit your attack to the contest. It will be evaluated as quickly as possible and the results will be published on the Hall of Fame.

To submit your attack, send us (submission@dpacontest.org) a mail with your name, address, institution and an archive (zip, tar, tar.gz or tar.bz2) containing the all the source code of your attack, additional libraries if you use non-standard ones, and a binary version of your attack.

We will next send you three mails. One when we receives your attack, one when we succeed to launch it on some traces and one when we finished the complete evaluation with the results.

The results will contain: